Handling AccessDenied with Method Level Security

Question

i have a method secured with spring security as follows:

@PreAuthorize(\"hasRole(\'add_user\')\")
public void addUser(User user) ;

and if a

Answer 1

Spring Security redirect to the access denied page just when the user don't have authorization to access the resource. This is, when the user is authenticated but doesn't have the allowed roles.

But when the problem is not authorization, but authentication, Spring Security redirects to the login page (to let the user authenticate himself/herself), not to the access denied page.

As you have a rule checking for "isAuthenticated()" in the rules, you won't be redirected to the access denied page, but to the login page.

Hope it helps.